Presently, there is an on-going emergence of service-oriented computing, where services are located, accessed, and provided in the Internet. Typically, these services are effected by service applications that reside and run on a number of application servers such that a user accesses one service application running on one server, other service application running on another server and so on. These services include e.g. Web services, where a client application retrieves content of Web pages from Web servers by means of the HTTP (HyperText Transmission Protocol) protocol, communication services, such as instant messaging or voice messaging that a client application uses by means of e.g. the SIP (Session Initiation Protocol) or the H.323 protocol, or application services, where applications e.g. execute tasks in remote applications by means of e.g. SOAP (Simple Object Access Protocol) messages.
Traditionally, services residing and running on the Internet have been accessed by using computers that are connected to the Internet through wired connections, such as LANs (Local Area Networks) or telephony lines by means of e.g. ISDN (Integrated Services Digital Network) or ADSL (Asymmetric Digital Subscriber Line) connections. Computers may also connect to the Internet through a wireless access network, such as WLAN (Wireless Local Area Network). As today's mobile devices and mobile telecommunication networks typically support packet data connections, such as GPRS (General Packet Radio Service) or UMTS (Universal Mobile Telecommunication System) packet data connections, mobile devices can access services on the Internet through these packet data services. A modern mobile device also supports WLAN, so the mobile device can also access the Internet through a WLAN access network in a similar manner as a computer supporting WLAN.
In addition to the increasing usage of Internet-based services, services provided in mobile or pervasive computing environments are becoming commonplace. In such environments, interconnected computing devices, such as mobile devices, access services running on other devices. The devices can be interconnected e.g. by using short-range radio communication, such as Bluetooth®.
Some services on the Internet or in the mobile or pervasive computing environment may be available to everyone wishing to access the services, meanwhile access to other services may be restricted to authorized users only. In the latter case, access to the service is typically granted after a successful authentication and authorization of a user who requests access to the service.
As noted hereinbefore, a user may access services on a number of servers and/or from a number of service providers. If the services have restricted access, the user may have to be authenticated and authorized for each service separately. The user may have different authentication credentials, such as username and password, passphrase, PIN (Personal Identification Number), security token, or certificate, for each service, and the user may have to provide the authentication credentials at the authentication phase for each service every time the user accesses the services. This is quite inconvenient, even though the submission of the authentication credentials may be facilitated by means of e.g. a smart card or a data entity, such as a digital certificate.
In order to alleviate the above described inconvenience with respect to a user having a plurality of authentication credentials, a number of techniques for Single Sign-On (SSO) have been developed. A framework for SSO has been specified e.g. by the Liberty Alliance Project in the Liberty Identity Federation Framework (ID-FF) specification.
In SSO according to the Liberty ID-FF, the management and authentication of service requesting clients is done by one or more authentication providers referred to as Identity Providers (IdP) which are separated from the services providing entities referred to as Service Providers (SP) that e.g. operate web sites or other services. This separation has a number of advantages, the most important one being that a user no longer needs to remember multiple usernames and passwords for multiple services or reuse passwords and thus compromise their security.
In a Liberty ID-FF environment, a Liberty-enabled client is initially authenticated by an Identity Provider using the client's credentials for the Identity Provider. When the client requests service from a Service Provider, the Service Provider requests authentication of the client from the Identity Provider. If an association (or federation) between the client's IdP identity and identity at the Service Provider has already been established, the IdP can confirm (assert) the client's identity to the Service Provider. In case the association or federation between the identities has not yet been established, the client may have to authenticate at the Service Provider with its credentials for the Service Provider in order for the IdP to establish the identity federation.
If a trusted circle of Service Providers that have entrusted the IdP with authenticating service requesting clients on their behalf comprises a vast number of said Service Providers, the number of authentication requests from the Service Providers to the IdP may be huge. This may cause congestion at the IdP and result in delays in responding to the authentication requests, or refusals of authentication requests, which may render Service Provider services unavailable.